Lab notes – WB1 Lab4 Part 1

Today I started to work with IPexpert CCIE Security workbook 1 Lab 4a – VPN-solutions. During my work I made the following notes, which might be interesting to read for other CCIE candidates. From now on I will continue to take these notes and post them on this blog. Explaining and writing is simply a great way for me to learn.
Also, if my boss some day asks me what the heck I am doing with all these work-hours, I will gladly give him a link to this blog. 🙂

Task 4.1 – IOS CA

This was quite straight-forward. Make an IOS router a root certificate authority for later use.

Task 4.2 – IOS L2L

This is all about enrolling certificates from the CA in the previous task on two IOS routers and setting up an IPsec tunnel between them.

  • What confuses me is that there is nothing in the configuration telling it to authenticate with certificates. All there is, compared to “normal” preshared-key auth, is a missing “authen pre-share”. Which of course means that authentication is done with the certificates by default. I understand, I just have to get used to the fact that there is no command visible in the crypto isakmp policy saying “authentication MY-CA-TRUSTPOINT”.
  • When entering a wrong peer in the crypto map, it's not enough to just re-enter a new IP. Since a crypto map sequence can have multiple peers for redundancy, the old one doesn't go away. The effect is that the tunnel goes up, but only after a while, since it first tries the bad peer IP before trying the second one. Remove the first.
  • Me being more used to VPNs on the ASA than on IOS, I usually tear down VPN tunnels with the commands “clear crypto isakmp sa” and “clear crypto ipsec sa”. In IOS the corresponding command is “clear crypto session”. Cool.

Task 4.3 – VPN IOS-ASA

The task was to set up a tunnel between IOS and ASA. Pre-shared key, all straight-forward. However, I was asked to prioritize certain traffic going into the tunnel from the IOS router. This was done by creating a service-policy on the outside interface like this (the class name under the policy-map must match the class-map name exactly):

class-map match-all VPN-CLASS
 match access-group 150        ! The ACL that defines the traffic to prioritize
!
policy-map VPN-POLICY
 class VPN-CLASS
  priority 200                 ! I was also asked to restrict the prioritized traffic to 200 kbps
!
interface Fa1/1
 service-policy output VPN-POLICY

  • And, don't forget to do “qos pre-classify” on the crypto map! Otherwise your class-map has to look for ESP traffic, and that is not very granular, is it? 🙂
  • “create lo3 on r2, assign it ip 192.168.3.2/24” and “create a vpn tunnel between Vlan100 and the newly created loopback network”. I used “host 192.168.3.2” in acl, but it clearly states “the loopback _network_”. Darn!

Task 4.4 L2L Aggressive mode with PSK

  • Stuck twice.
I PROMISE NEVER TO FORGET TO APPLY THE CRYPTO MAP TO THE INTERFACE AGAIN
I PROMISE NOT TO FORGET TO APPLY THE CRYPTO MAP TO IF AGAIN
I PROMISE NOT TO FORGET TO APPLY THE CRYPTO MAP TO IF AGAIN
  • Stuck again. Couldn't get the tunnel up even when comparing my configs with the solution guide. After getting help from OSL I made it:

Hi

I am struggling with this task, I simply cannot get the tunnel up. And I can't see what I've done wrong.

Background: Make a tunnel between r2 and r5. Assume that the r5 IP is dynamic; the tunnel should only be initiated from r5 (that is: dynamic map on r2).

The relevant parts of the config look like this:

Answer from Brandon:

Not sure if this is it or not but you have crypto isakmp key ipexpert
hostname r5.ipexpert.com and the debug shows    FQDN name    : R5.ipexpert.com

Voila! Changed the “r5” to “R5” and it started working!
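The mistakes in Tasks 4.3 and 4.4 above (a policy-map class name that does not match the class-map, a crypto map that never got applied to the interface, a service-policy without “qos pre-classify” on the crypto map, and the r5/R5 case mismatch between the isakmp key hostname and the FQDN the peer presents) are all visible in the running config before you ever bring the tunnel up. The following is an added example, not code from these lab notes or from the IPexpert workbook: a small lint that reads IOS config text in “show running-config” form and reports those four pitfalls. The two configs and the peer FQDN list are constructed for the example; the FQDN is the kind of value you would copy from “debug crypto isakmp” output.

```python
import re

# Constructed sample with the pitfalls from the lab notes deliberately present:
# class name typo, crypto map not applied, and a lower-case isakmp key hostname.
BAD_CONFIG = """\
crypto isakmp key ipexpert hostname r5.ipexpert.com
!
class-map match-all VPN-CLASS
 match access-group 150
!
policy-map VPN-POLICY
 class VPNCLASS
  priority 200
!
crypto map VPNMAP 10 ipsec-isakmp
 set peer 192.0.2.5
 set transform-set TS
 match address 150
!
interface FastEthernet1/1
 service-policy output VPN-POLICY
"""

# Same constructed topology with every pitfall corrected.
GOOD_CONFIG = """\
crypto isakmp key ipexpert hostname R5.ipexpert.com
!
class-map match-all VPN-CLASS
 match access-group 150
!
policy-map VPN-POLICY
 class VPN-CLASS
  priority 200
!
crypto map VPNMAP 10 ipsec-isakmp
 set peer 192.0.2.5
 set transform-set TS
 match address 150
 qos pre-classify
!
interface FastEthernet1/1
 service-policy output VPN-POLICY
 crypto map VPNMAP
"""

# FQDNs the peers present during ISAKMP (constructed; normally taken from debug output).
PEER_FQDNS = ["R5.ipexpert.com"]


def parse_sections(config):
    """Split IOS config text into (header, body) pairs; body = the indented lines."""
    sections = []
    for raw in config.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue  # skip blank lines and '!' separators
        if raw[0] != " ":
            sections.append((raw.strip(), []))  # top-level command starts a section
        elif sections:
            sections[-1][1].append(raw.strip())
    return sections


def lint(config, peer_fqdns=()):
    """Return a list of finding strings; an empty list means no pitfall was found."""
    class_maps, policy_refs, key_hosts = set(), [], []
    map_entries, map_preclassified = {}, {}  # crypto map name -> entry counts
    applied, iface_policy = {}, set()        # map -> interface, interfaces with a service-policy
    for header, body in parse_sections(config):
        words = header.split()
        if header.startswith("class-map "):
            class_maps.add(words[-1])
        elif header.startswith("policy-map "):
            policy_refs += [(words[1], l.split()[1]) for l in body
                            if l.startswith("class ") and l.split()[1] != "class-default"]
        elif header.startswith("crypto map ") and len(words) > 3 and words[3].isdigit():
            name = words[2]  # 'crypto map NAME SEQ ipsec-isakmp'
            map_entries[name] = map_entries.get(name, 0) + 1
            map_preclassified[name] = map_preclassified.get(name, 0) + ("qos pre-classify" in body)
        elif header.startswith("interface "):
            for line in body:
                if line.startswith("crypto map "):
                    applied[line.split()[2]] = words[1]
                elif line.startswith("service-policy output "):
                    iface_policy.add(words[1])
        elif header.startswith("crypto isakmp key "):
            m = re.search(r"\bhostname (\S+)", header)
            if m:
                key_hosts.append(m.group(1))

    findings = []
    for policy, cls in policy_refs:
        if cls not in class_maps:
            findings.append(f"policy-map {policy}: class {cls} has no matching class-map")
    for name, count in map_entries.items():
        if name not in applied:
            findings.append(f"crypto map {name}: defined but not applied to any interface")
        elif applied[name] in iface_policy and map_preclassified[name] < count:
            findings.append(f"crypto map {name}: service-policy on {applied[name]} "
                            "but not every entry has 'qos pre-classify'")
    for host in key_hosts:  # exact match required; report a case-only difference
        for fqdn in peer_fqdns:
            if host != fqdn and host.lower() == fqdn.lower():
                findings.append(f"isakmp key hostname {host}: peer presents {fqdn} (case differs)")
    return findings


if __name__ == "__main__":
    for label, cfg in (("bad", BAD_CONFIG), ("good", GOOD_CONFIG)):
        print(label, lint(cfg, PEER_FQDNS) or "clean")
```

Feed it the output of “show running-config” from the router and the FQDN from the “debug crypto isakmp” line that shows the peer's identity; the check is deliberately case-sensitive on the hostname, because that is exactly the mismatch that kept the Task 4.4 tunnel down.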

Task 4.5 L2L Overlapping subnets.

The task was to create a tunnel between 4 routers to protect traffic between internal nets. The restrictions were: no static routing, no crypto maps and no GRE.
  • I haven't worked very much with tunnel interfaces, but this was a pleasant first date. It's kind of magic making a virtual interface and making the router route traffic through it. Even more coolish when you encrypt the traffic and make a routing protocol talk through the tunnel.
  • Since I wasn't allowed to use static routing, I had to create loopback interfaces to force knowledge of the local network's translated address space into the routing protocol. I was thinking of some kind of “add-reverse-route” option for the “ip nat source static network” command, but I guess there is no such solution? Or could this routing issue be solved in another way?

Task 4.6 – Easy VPN Server on IOS

  • This task deals with connecting a plain IPsec client on an XP workstation to a VPN server on IOS. First step was to verify connectivity on XP. Wrong IP, changing it. Now, a good piece of advice from someone “who knows”: Do NOT add a default route on the student NIC of the lab PCs. It has 2 NICs, and the other one is conveniently named “Outside NIC – Do not Touch!”, which is fine because that's how you reach the machine over the internet. But if you add a default “gateway” on the student NIC (which you are allowed to fool with) you will convert that kind little XP machine into an unpredictable beast. If you are lucky you will reach it after a while and can remove that default gw. So I've heard. 🙂
  • IOS auto-enroll and the enroll feature of the IPsec VPN client is cool. Just point it to http://<ios ca ip>/cgi-bin/pkiclient.exe and request a certificate.
  • I had to look at the solution guide quite a lot in this case. Even when doing that I couldn't get the VPN client to connect. I just got these error messages:

Feb 26 12:35:24.740: ISAKMP:(1011):deleting SA reason "Recevied fatal informational" state (R) CONF_XAUTH    (peer 8.9.2.200)
Feb 26 12:35:24.740: ISAKMP:(1011):deleting SA reason "Recevied fatal informational" state (R) CONF_XAUTH    (peer 8.9.2.200)

  • Suddenly I looked at the bottom right corner of my screen and saw that there were 3 minutes left until the lab period was over. I have never backed up a bunch of routers this fast before. First thing next lab attempt will be to load the configs and troubleshoot the EasyVPN config of R4.
Conclusion of this lab so far: It's intense! I've been configuring plenty of VPN solutions before, but I guess that my experience covers only 20-30% of the VPN-related topics in this lab. All these profile configurations in IOS are new to me. I guess I have some CCO chapters to read during the weekend…
Here are my current configurations: asa1, r2, r4, r5 and r6.
One comment on “Lab notes – WB1 Lab4 Part 1”
  1. Jason Stanley says:

    I read about the topic elsewhere too. But you have
    explained it in a nice way.

    http://www.isolcertificationtraining.com/cisco-training/
